What do ISP "Middle Men" do?

EnthusiastXYZ

My ISP-provided Cable Gateway (modem+router device) is in Bridged mode to prevent Double-NAT and my personal router gets a Public IP, a Subnet Mask, a Gateway IP directly from ISP via ISP DHCP Server. TraceRT shows that between my router's Private LAN IP (192.X.X.X) and any destination, there are 3 other Private IP addresses (1 in 10.X.X.X range and 2 in 172.16.X.X-172.31.X.X range). All destinations are routed through those 3 Private IP addresses. I use Static Routing feature on my router to block those addresses. There is no other way to block specific IP's on my router. Blocking those 3 Private IP's does not affect being able to reach any website and TraceRT shows that those 3 Private IP addresses cannot be reached when I use Static Routing to block them.

My guess is that those 3 Private IP's are from my ISP, but what purpose do those Private IP addresses serve? Is there any reason not to block them?
 
The provider is just using private addresses to address their access network infrastructure, presumably in an attempt to reduce their consumption of public addresses. This is quite common with cable providers.

Blocking them will mean you no longer receive ICMP errors from those routers, but unless there is a MTU bottleneck (in which case ICMP errors are important for path MTU discovery), it's unlikely to cause any real problems.
 
Private IPs on ISP routers does not imply CGNAT, it's perfectly possible for a client to have a public IP, but the routers in between to have private ones.

The IPs on a plain router (not a NAT) aren't really used for much other than deciding what the next hop should be. The only IPs in the actual packet are the source and destination IPs.
 
most likely those are management IP's for the device, but the fact you say they are routed through those, and then you say it doesn't affect it when you block them doesn't make sense, especially if it is the first Hop to your ISP gear. FYI static routing isn't blocking anything, it is just bypassing things, but not blocking. My guess is that the reason it still works is because you're in bridged mode so it 'just works', but it's common for ISP's to have two IP addresses to Customer Equipment (CE) gear. One provided for customers internet, and the other to manage a device (add firmware updates etc), now they can usually also manage through the public IP they give you as well, but it's more common (and correct IMHO) to manage through a separate management network.
 
most likely those are management IP's for the device, but the fact you say they are routed through those, and then you say it doesn't affect it when you block them doesn't make sense
It makes perfect sense.

A regular router (not a NAT) does not put its own IP (or one of its own IPs, most routers will have more than one) into the data packets it forwards. So blocking its IP will not affect regular data traffic. Even a NAT only puts its own IP into packets on the internet side, not into packets on the LAN side.

Blocking traffic from a router in the path will affect ICMP errors*. That means you won't see it in traceroute and may cause problems if the router is at a MTU constriction, but otherwise it is unlikely to cause any noticeable problems.

Regarding static routing, it can be used to blackhole traffic TO an IP address, but unless reverse path filtering is in use it won't block traffic FROM an IP address.
 
Whenever I put my ISP-provided Gateway in Bridged mode, my personal router begins receiving Fraggle Attacks from ISP's Private 10.X.X.X address, the hop immediately after the Gateway hop, on Port 67. It is most likely a false positive that my router detects and manufacturer forums report similar issues. Whenever I use Static Routing and input that 10.X.X.X address, that Fraggle Attack report stops. I guess those Fraggle attacks can be improperly-detected ICMP errors, but personal router options are set to not allow pings from WAN. There is no MTU discrepancy anywhere.

If I use Static Routing to block my Gateway (set to NAT mode), will the NAT function and custom Port-blocking profile for that Gateway still have an effect?
 
Holy crap...smurf attack and now fraggle attack...who is naming this stuff and what channel were they watching every Sat morning? :eek:
 
Is setting Static Route IP 10.0.0.0 with subnet 255.0.0.0 supposed to block the entire 10.0.0.0-10.255.255.255 range? That is how it works with firewall settings, but it doesn't do that for Static Routes. The only way to block an IP via Static Routes options on this router is to specify the exact IP, specify subnet 255.255.255.255, and metric of 2 or above. I also know that the 10.X.X.X "Fraggle Attack" is only a response to outbound ICMP packets. If I disable outbound ICMP, router log doesn't show any inbound attempts from that private IP.

Once in a while, traceroute shows other private non-ISP IP's along the way to some destinations. It isn't that uncommon these days, but many guides advise to drop packets from all private IP's (except the ones on your local network) in firewalls to prevent spoofing attacks.
 
static routes don't block anything....static routes just tell a router what hop to go to next.....that's it. It doesn't prevent asymmetric routing, it doesn't mean that they can't get to the same address via a different way, static routes shouldn't be used for security purposes, that's not their job. That's a FW's job. Start at the bottom right, and move up counter clockwise to follow. FYI In Real Life, private IP's would never be on the internet, and instead would be NAT'd to a public IP, but I eliminated that for simplification, the concept is the same.

[Attached image: Bad static routing.png]
 
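The point made in the last two posts (a forwarding lookup only ever looks at the destination, so a blackhole route stops you reaching an address but does nothing to packets coming from it unless a reverse-path check is in play) is easier to see in a small simulation. The code below is an added example written for this thread, not anything posted in it or taken from a router vendor; the routing table, interface names, and all addresses (including the 203.0.113.1 gateway and the 10.20.30.40 "ISP hop") are constructed for illustration, and NAT is deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                      # egress interface (also the expected ingress for the RPF check)
    next_hop: Optional[str] = None  # None = directly connected network
    blackhole: bool = False         # True = matching destinations are silently discarded
    metric: int = 0                 # lower wins when two routes have the same prefix length


class Router:
    def __init__(self, routes: List[Route]):
        self.routes = routes

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match on ONE address; ties broken by lowest metric.
        A forwarding lookup consults only the address it is given."""
        ip = ipaddress.IPv4Address(addr)
        matches = [r for r in self.routes if ip in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))

    def forward(self, src: str, dst: str, in_iface: str, rp_filter: bool = False) -> str:
        """Fate of a packet src -> dst that arrived on in_iface.
        With rp_filter=True the router first checks that its route BACK to src
        points out of in_iface (strict reverse-path filtering); without it, the
        source address plays no part in the decision at all."""
        if rp_filter:
            back = self.lookup(src)
            if back is None or back.blackhole or back.iface != in_iface:
                return "dropped: reverse-path filter"
        route = self.lookup(dst)          # destination-only lookup
        if route is None:
            return "dropped: no route"
        if route.blackhole:
            return "dropped: blackhole route"
        if route.next_hop is None:
            return f"delivered directly on {route.iface}"
        return f"forwarded via {route.next_hop} on {route.iface}"


def build_home_router() -> Router:
    """Constructed table: LAN, default route to the ISP, and a blackhole for 10/8."""
    net = ipaddress.IPv4Network
    return Router([
        Route(net("192.168.1.0/24"), "lan"),                     # home LAN, connected
        Route(net("0.0.0.0/0"), "wan", next_hop="203.0.113.1"),  # default via ISP gateway
        Route(net("10.0.0.0/8"), "wan", blackhole=True),         # the "blocked" ISP hop range
    ])


if __name__ == "__main__":
    r = build_home_router()
    cases = [
        ("192.168.1.10", "8.8.8.8", "lan", False),       # normal browsing: unaffected by the blackhole
        ("192.168.1.10", "10.20.30.40", "lan", False),   # pinging the ISP hop itself: blackholed
        ("10.20.30.40", "192.168.1.10", "wan", False),   # ICMP error FROM the ISP hop: still delivered
        ("10.20.30.40", "192.168.1.10", "wan", True),    # same packet with RPF on: dropped
        ("192.168.1.50", "192.168.1.10", "wan", True),   # spoofed LAN source arriving on WAN: dropped
    ]
    for src, dst, iface, rpf in cases:
        print(f"{src:>14} -> {dst:<14} in={iface} rpf={rpf}: {r.forward(src, dst, iface, rpf)}")
```

The third and fourth cases are the interesting ones: the same packet from the ISP's 10.x hop reaches the LAN when the router only routes by destination, and is dropped only once the reverse-path check consults the route back to the source. That is also why the traceroute hop "disappears" (the router can no longer send anything to it) while ordinary traffic through that hop keeps working.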
ISP middle men don't do anything near as I can tell. That's why I don't use them.
 
static routes don't block anything....static routes just tell a router what hop to go to next.....that's it. It doesn't prevent asymmetric routing, it doesn't mean that they can't get to the same address via a different way, static routes shouldn't be used for security purposes, that's not their job. That's a FW's job. Start at the bottom right, and move up counter clockwise to follow. FYI In Real Life, private IP's would never be on the internet, and instead would be NAT'd to a public IP, but I eliminated that for simplification, the concept is the same.


I assume the image is made for me - thank you! Asymmetric routing seems very insecure...
1. Does TraceRoute only show outbound packet routes? Would it not show if the inbound packets from established outbound connections use routing that is different from outbound routing? How would I detect whether the traffic back to me is re-routed to evil routers before reaching my router?
2. Are software firewalls (Windows Firewall, IPTables) supposed to somehow detect and block inbound traffic if it is re-routed via IP addresses that are blacklisted?
3. How does asymmetric routing affect VPN tunnels? If the original connection to VPN tunnel hopped directly from my router to VPN server, then could inbound packets to that established VPN server connection be re-routed via evil routers on the way back to my router?
4. What do you mean in Real Life? My ISP isn't the only one using private IP addresses on the internet. Every once in a while TraceRoute detects private IP addresses even within VPN tunnels half way to their destinations and I am not talking about virtual adapter private IP addresses.

I do understand that Static Routing shouldn't be used for security purposes, but aside from VPN's, what are alternatives? With Static Routing you can at least prevent initial connections to evil routers...
 
BTW, does routing depend on NAT type a person is using? If my router uses a Strict Symmetric NAT, then wouldn't routing also be symmetric? How can I test whether the NAT type is symmetric or not?
 
I assume the image is made for me - thank you! Asymmetric routing seems very insecure...
Routing has nothing to do with security, its only job is to get packets from one destination to another. Asymmetric isn't insecure, it can be inefficient and a PITA to troubleshoot, but again, no one typically uses routing as a security measure, i'm sure there are exceptions, but that's not what it's designed for.
1. Does TraceRoute only show outbound packet routes?
Traceroute just reports what router it sees next in the path, it's very common for you to run a traceroute to the very same destination and have it take different paths, it just depends on what path is currently preferred

Would it not show if the inbound packets from established outbound connections use routing that is different from outbound routing?
Traceroute doesn't keep track of what connections are established, it simply hops from one router, reports back "hey i'm here now" and continues to the next reports "hey i'm here now" and so on

How would I detect whether the traffic back to me is re-routed to evil routers before reaching my router?
You typically wouldn't be able to, this is out of your control, i'm sure there are ways with scripts to have a constant traceroute running and then queue off some process when you detect a particular IP address, but it would be inefficient and wouldn't really do much and would be easily bypassed, you just need to accept the fact that there are bad things on the internet, and your traffic may cross them.

2. Are software firewalls (Windows Firewall, IPTables) supposed to somehow detect and block inbound traffic if it is re-routed via IP addresses that are blacklisted?
There is nothing magic about it, you tell the firewall "hey if you see packets from here, don't process them and drop them"
3. How does asymmetric routing affect VPN tunnels? If the original connection to VPN tunnel hopped directly from my router to VPN server, then could inbound packets to that established VPN server connection be re-routed via evil routers on the way back to my router?

Nothing special about VPN packets versus any other packets, they will travel over the internet and establish a connection end-to-end, after they are established, they'll stay up (typically) and encrypt traffic that is traversing other routers
4. What do you mean in Real Life? My ISP isn't the only one using private IP addresses on the internet. Every once in a while TraceRoute detects private IP addresses even within VPN tunnels half way to their destinations and I am not talking about virtual adapter private IP addresses.

Private IP's aren't publicly routable on the internet, you'll sometimes see them in traceroute because you'll hit a router's public IP and then they will NAT that to a private IP (internal to their network), it may bounce around their network for a bit, then it will again be NAT'd to a public IP before going from one AS to another, and they may NAT back to a private IP as well, it's not that uncommon.

I do understand that Static Routing shouldn't be used for security purposes, but aside from VPN's, what are alternatives? With Static Routing you can at least prevent initial connections to evil routers...
Static routing IMHO shouldn't ever be used for security reasons, and could actually even be considered a security risk. How? Arp spoofing that one IP you think is safe...
 
Thank you for the explanation!

I am still a bit confused about some aspects:
1. If it is typically unknown whether traffic back is re-routed through evil routers, then how can a firewall help you?
2. Does Asymmetric Routing affect already-established connections? If the original connection is made bypassing the evil router hop, then that already-established connection's inbound packets can't use the evil routers, can they?
3. Wouldn't Symmetric NAT's prevent Asymmetric Routing?
 
What about using static routes to a static public DNS server by assigning a Metric of 1 to that address?
 
One of the "evil routers" is my ISP's local Cisco CMTS.
You literally can't do anything to prevent your ISP from routing over whatever router they want to, what you can do is use a VPN so when the traffic is routed over it, then your traffic will be encrypted, that's why they say VPNs help prevent your ISP from tracking you. Trying to use static routing to avoid certain devices out on the web that you don't own, is like telling your mother-in-law that she should avoid all freeways, depending on where she is going she may or may not listen, and you really have ZERO control where she goes once she leaves your home
 
Browserleaks.com reports how many hops it takes to reach it from my public IP address, but ICMP is always disabled. How does a website verify the number of hops and how can I view those hops without ICMP? TraceRT and PING commands from Windows require ICMP to be enabled.
 
Browserleaks.com reports how many hops it takes to reach it from my public IP address, but ICMP is always disabled. How does a website verify the number of hops and how can I view those hops without ICMP? TraceRT and PING commands from Windows require ICMP to be enabled.
You can't, browserleaks is using what is reported to it, and that can be modified, for example in my house if you're coming from my GW into my network from my GW to my PC it appears to be 12 hops, when in reality it is only one, i have a FW that drops any packets under a certain TTL, tracert uses TTL so you know those *.*.*.* you see when running a tracert...you get 12 from my FW until the TTL is high enough then you get a response from my FW, in short you don't control the internet, the ISP middle men do (and then only within our own AS) and the only thing that will help in any sense is a VPN and making sure your applications are patched, and yes using things like pi-hole can help as well
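The TTL mechanism behind that post, as a simulation added here for the thread (not code from any poster or from tracert itself): every router decrements the probe's TTL and answers with Time Exceeded when it reaches zero, and a firewall that silently drops packets below some TTL floor produces a run of `* * *` rows until the probe's starting TTL is large enough to get past it. The topology, the addresses, and the floor of 12 are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    address: str
    min_ttl: int = 0   # firewall policy: silently drop probes that arrive with TTL below this


def probe(path: List[Hop], dest: Hop, ttl: int) -> Optional[str]:
    """Send one probe with the given starting TTL along path towards dest.
    Returns the address that answers, or None if the probe dies silently."""
    remaining = ttl
    for hop in path:
        if remaining < hop.min_ttl:
            return None            # dropped by that hop's firewall: no Time Exceeded comes back
        remaining -= 1             # every router decrements the TTL before forwarding
        if remaining == 0:
            return hop.address     # TTL expired here: this router answers with Time Exceeded
    if remaining < dest.min_ttl:
        return None
    return dest.address            # probe reached the end host, which answers it


def traceroute(path: List[Hop], dest: Hop, max_ttl: int = 30) -> List[Tuple[int, Optional[str]]]:
    """The classic loop: probes with TTL 1, 2, 3, ... until the destination answers."""
    rows: List[Tuple[int, Optional[str]]] = []
    for ttl in range(1, max_ttl + 1):
        who = probe(path, dest, ttl)
        rows.append((ttl, who))
        if who == dest.address:
            break
    return rows


def silent_hops(rows: List[Tuple[int, Optional[str]]]) -> int:
    """How many rows printed as '* * *' (no reply at all)."""
    return sum(1 for _, who in rows if who is None)


def render(rows: List[Tuple[int, Optional[str]]]) -> str:
    return "\n".join(f"{ttl:>3}  {who or '* * *'}" for ttl, who in rows)


# Constructed path: two ISP routers on private addresses, the home gateway,
# then a firewall in front of the PC. Only the firewall's TTL floor differs
# between the two runs.
ISP_CMTS = Hop("isp-cmts", "10.20.30.40")
ISP_CORE = Hop("isp-core", "172.16.5.1")
HOME_GW = Hop("home-gw", "203.0.113.7")
PC = Hop("pc", "192.168.1.10")


def with_firewall() -> List[Tuple[int, Optional[str]]]:
    fw = Hop("fw", "192.168.1.1", min_ttl=12)     # drops anything arriving with TTL < 12
    return traceroute([ISP_CMTS, ISP_CORE, HOME_GW, fw], PC)


def without_firewall() -> List[Tuple[int, Optional[str]]]:
    fw = Hop("fw", "192.168.1.1")                 # same box, no TTL floor
    return traceroute([ISP_CMTS, ISP_CORE, HOME_GW, fw], PC)


if __name__ == "__main__":
    print("with TTL-floor firewall:\n" + render(with_firewall()))
    print("\nwithout:\n" + render(without_firewall()))
```

With the floor in place the PC only answers at TTL 15 after eleven silent rows, although the packet crosses the same four routers that the unfiltered run shows in five rows; the firewall itself never appears, because the only probe whose TTL would expire on it (arriving with TTL 1) is exactly the one it drops. The row count is therefore a property of the TTL each device lets through, not a count of routers.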
 
TraceRT uses ICMP. If ICMP is disabled, TraceRT doesn't work. Browserleaks gets the information from somewhere and that somewhere doesn't use ICMP because I have it disabled everywhere, including VPN. I just want to know how it can count hops without ICMP and then do the same to count my hops to anywhere else, regardless of VPN use, but without ICMP.
 
TraceRT uses ICMP. If ICMP is disabled, TraceRT doesn't work. Browserleaks gets the information from somewhere and that somewhere doesn't use ICMP because I have it disabled everywhere, including VPN. I just want to know how it can count hops without ICMP and then do the same to count my hops to anywhere else, regardless of VPN use, but without ICMP.
Any number of other ways, cookies would be one, but focusing on hops as some sort of security mechanism makes zero sense and it isn't something you can control end of story period.
 
Purely out of experimentation, I added specific DNS addresses, such as Google's 8.8.8.8 DNS address, and other private/reserved IP address ranges (which should not be encountered on the Internet) to my Static Routes router settings. That action made the mentioned IP ranges unreachable 100% of the time. Blocking IP addresses wasn't the purpose of Static Routes, but HTTPS was not meant to transport DNS either. Yet DNS-over-HTTPS as an actual standard did happen.

I noticed only one funky problem with Static Routes. When I added 198.18.0.0-198.19.255.255 (a reserved IP range meant for benchmarking) to Static Routes, my router began a continuous cycle of ARP "Who is 198.18.53.53? Tell me!" requests. That didn't happen to any other addresses, only 198.18.53.53. Static Routes or not, that IP was not reachable over WAN and didn't exist on my LAN/WLAN either, but then why did my router initiate ARP requests to that IP?
 
Fire TV 4K on UniFi Dream Machine does almost the same thing. It doesn't use ARP to ask "Who is 198.18.53.53? Tell me!", but TCPDump shows Fire TV 4K tries to contact 198.18.53.53 exactly every 5 minutes. I have no static routes anywhere now and 198.18.0.0-198.19.255.255 (a reserved IP range meant for benchmarking) is simply blocked in UDM firewall (for inbound, outbound and all local). What a strange thing...!
 
I am finding more and more articles about performance advantages of using static routing to blackhole unwanted IP's:
One problem of packet filtering is performance because the router must examine packet headers to make a filtering decision, thus adding some overhead to the processing of the packets.

A complementary solution to both routing and filtering is to use black hole routes.
https://etutorials.org/Networking/R...col+Protection/Static+and+Black+Hole+Routing/

I guess that Netfilter filtering occurs after routers take static routes into consideration?
 